CVE-2018-15473
Description
OpenSSH through 7.7 allows remote attackers to enumerate valid usernames due to improper handling of invalid authentication requests in auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OpenSSH versions through 7.7 (and potentially later versions if unpatched) are vulnerable to a user enumeration flaw. The issue resides in the authentication handling code in auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. The server bails out for an invalid authenticating user before the packet containing the request has been fully parsed, so an attacker can distinguish valid from invalid usernames based on differences in timing or errors [4].
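The ordering problem described above, as a toy C model added here (not OpenSSH code and not part of the CVE record): the handler names, the outcome enum and the sample request bodies are constructed for illustration. It doubles as a regression check that a handler's result for a malformed request does not depend on whether the user exists.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy model, not OpenSSH code: the two results a client can tell apart. */
enum outcome { AUTH_FAILURE, DISCONNECT };
typedef enum outcome (*handler_fn)(int user_valid, const uint8_t *p, size_t len);

/* Constructed request bodies: algorithm name string, then key blob string. */
static const uint8_t PKT_OK[] = {0,0,0,7,'s','s','h','-','r','s','a', 0,0,0,2,0xAA,0xBB};
static const uint8_t PKT_TRUNCATED[] = {0,0,0,7,'s','s','h'};

static int get_string(const uint8_t *p, size_t len, size_t *off) { /* u32 length + bytes */
    if (len - *off < 4) return -1;
    const uint8_t *q = p + *off;
    uint32_t n = (uint32_t)q[0] << 24 | (uint32_t)q[1] << 16 | (uint32_t)q[2] << 8 | q[3];
    if (n > len - *off - 4) return -1;  /* length runs past the packet */
    *off += 4 + (size_t)n;
    return 0;
}

static int parse_request(const uint8_t *p, size_t len) {
    size_t off = 0;
    if (get_string(p, len, &off) != 0 || get_string(p, len, &off) != 0) return -1;
    return off == len ? 0 : -1;         /* trailing bytes are malformed too */
}

/* Pre-fix ordering: bail out for an unknown user before parsing. */
enum outcome handle_check_first(int user_valid, const uint8_t *p, size_t len) {
    if (!user_valid) return AUTH_FAILURE;
    if (parse_request(p, len) != 0) return DISCONNECT;  /* models fatal() */
    return AUTH_FAILURE;                /* key not authorized in this model */
}

/* Post-fix ordering: parse the whole request, then bail out. */
enum outcome handle_parse_first(int user_valid, const uint8_t *p, size_t len) {
    if (parse_request(p, len) != 0) return DISCONNECT;
    if (!user_valid) return AUTH_FAILURE;
    return AUTH_FAILURE;                /* key not authorized in this model */
}

/* Regression check: nonzero if the outcome depends on user validity. */
int leaks_user_validity(handler_fn h, const uint8_t *p, size_t len) {
    return h(1, p, len) != h(0, p, len);
}

int main(void) {  /* exit status 0 when only the pre-fix ordering leaks */
    return !(leaks_user_validity(handle_check_first, PKT_TRUNCATED, sizeof PKT_TRUNCATED) &&
             !leaks_user_validity(handle_parse_first, PKT_TRUNCATED, sizeof PKT_TRUNCATED));
}
```

With a well-formed body both orderings give the same result for both kinds of user; only the malformed body separates them in the pre-fix ordering.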
Exploitation
An unauthenticated remote attacker can send crafted authentication attempts to the SSH server. By observing the server's response time or behavior, the attacker can determine whether a username exists. Proof-of-concept exploit code is publicly available [3]. The attack requires no special privileges or user interaction; any system running an affected OpenSSH version is vulnerable.
Impact
Successful exploitation allows an attacker to enumerate valid usernames on the target system. While this does not directly lead to a full compromise, it significantly reduces the effort required for targeted attacks, as the attacker can focus on password guessing or credential stuffing against known user accounts. The vulnerability is classified as an information disclosure issue.
Mitigation
Patched versions have been released: OpenSSH 7.8 and later include the fix. Red Hat issued updates via RHSA-2019:0711 [1] and RHSA-2019:2143 [2] for affected RHEL versions. Users should upgrade to the latest patched version of OpenSSH. If an upgrade is not immediately possible, administrators can consider logging and monitoring authentication attempts for suspicious patterns as a temporary workaround. The vulnerability is not known to be exploited in the wild, but it is listed in some exploit databases [3].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
779974d35b48 delay bailout for invalid authenticating user until after the packet
3 files changed · +28 −19
usr.bin/ssh/auth2-gss.c+7 −4 modified@@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-gss.c,v 1.28 2018/07/10 09:13:30 djm Exp $ */ +/* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -65,9 +65,6 @@ userauth_gssapi(struct ssh *ssh) size_t len; u_char *doid = NULL; - if (!authctxt->valid || authctxt->user == NULL) - return (0); - if ((r = sshpkt_get_u32(ssh, &mechs)) != 0) fatal("%s: %s", __func__, ssh_err(r)); @@ -101,6 +98,12 @@ userauth_gssapi(struct ssh *ssh) return (0); } + if (!authctxt->valid || authctxt->user == NULL) { + debug2("%s: disabled because of invalid user", __func__); + free(doid); + return (0); + } + if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { if (ctxt != NULL) ssh_gssapi_delete_ctx(&ctxt);
usr.bin/ssh/auth2-hostbased.c+6 −5 modified@@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-hostbased.c,v 1.35 2018/07/09 21:35:50 markus Exp $ */ +/* $OpenBSD: auth2-hostbased.c,v 1.36 2018/07/31 03:10:27 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -66,10 +66,6 @@ userauth_hostbased(struct ssh *ssh) size_t alen, blen, slen; int r, pktype, authenticated = 0; - if (!authctxt->valid) { - debug2("%s: disabled because of invalid user", __func__); - return 0; - } /* XXX use sshkey_froms() */ if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 || (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 || @@ -116,6 +112,11 @@ userauth_hostbased(struct ssh *ssh) goto done; } + if (!authctxt->valid || authctxt->user == NULL) { + debug2("%s: disabled because of invalid user", __func__); + goto done; + } + if ((b = sshbuf_new()) == NULL) fatal("%s: sshbuf_new failed", __func__); /* reconstruct packet */
usr.bin/ssh/auth2-pubkey.c+15 −10 modified@@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.82 2018/07/11 18:55:11 markus Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.83 2018/07/31 03:10:27 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -86,19 +86,15 @@ userauth_pubkey(struct ssh *ssh) { Authctxt *authctxt = ssh->authctxt; struct passwd *pw = authctxt->pw; - struct sshbuf *b; + struct sshbuf *b = NULL; struct sshkey *key = NULL; - char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; - u_char *pkblob, *sig, have_sig; + char *pkalg = NULL, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; + u_char *pkblob = NULL, *sig = NULL, have_sig; size_t blen, slen; int r, pktype; int authenticated = 0; struct sshauthopt *authopts = NULL; - if (!authctxt->valid) { - debug2("%s: disabled because of invalid user", __func__); - return 0; - } if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 || (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 || (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0) @@ -164,6 +160,11 @@ userauth_pubkey(struct ssh *ssh) fatal("%s: sshbuf_put_string session id: %s", __func__, ssh_err(r)); } + if (!authctxt->valid || authctxt->user == NULL) { + debug2("%s: disabled because of invalid user", + __func__); + goto done; + } /* reconstruct packet */ xasprintf(&userstyle, "%s%s%s", authctxt->user, authctxt->style ? ":" : "", @@ -180,7 +181,6 @@ userauth_pubkey(struct ssh *ssh) #ifdef DEBUG_PK sshbuf_dump(b, stderr); #endif - /* test for correct signature */ authenticated = 0; if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && @@ -191,7 +191,6 @@ userauth_pubkey(struct ssh *ssh) authenticated = 1; } sshbuf_free(b); - free(sig); auth2_record_key(authctxt, authenticated, key); } else { debug("%s: test pkalg %s pkblob %s%s%s", 
@@ -202,6 +201,11 @@ userauth_pubkey(struct ssh *ssh) if ((r = sshpkt_get_end(ssh)) != 0) fatal("%s: %s", __func__, ssh_err(r)); + if (!authctxt->valid || authctxt->user == NULL) { + debug2("%s: disabled because of invalid user", + __func__); + goto done; + } /* XXX fake reply and always send PK_OK ? */ /* * XXX this allows testing whether a user is allowed @@ -235,6 +239,7 @@ userauth_pubkey(struct ssh *ssh) free(pkblob); free(key_s); free(ca_s); + free(sig); return authenticated; }
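Review bot: In usr.bin/ssh/auth2-gss.c, userauth_gssapi(), the relocated `if (!authctxt->valid || authctxt->user == NULL)` block has no comment saying why it must sit after the mechanism parsing instead of at the top of the function, where it was before. A later cleanup could hoist it back and restore the difference in behaviour between valid and invalid users. Add a one-line comment above the block stating that the bailout has to follow packet parsing.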
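Review bot: In usr.bin/ssh/auth2-hostbased.c, userauth_hostbased(), the moved check is also widened from `!authctxt->valid` to `!authctxt->valid || authctxt->user == NULL`, and the visible part of the commit message only mentions delaying the bailout. Please say in the message or in a comment why the NULL test is needed here. The same condition and debug2() string now appear in all three files (twice in auth2-pubkey.c), so a small shared helper would keep the four copies from drifting apart.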
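Review bot: In usr.bin/ssh/auth2-pubkey.c, userauth_pubkey(), the new `goto done` in the signature branch is taken after `b` has already been filled with the session id, while `sshbuf_free(b)` stays further down inside the branch and the visible tail of `done` frees pkblob, key_s, ca_s and sig but not b. Initialising `b = NULL` suggests it was meant to be released on the common exit path, so please confirm that `done` calls sshbuf_free(b), or move the call there next to the relocated `free(sig)`. Otherwise each request for an invalid user that reaches this check leaks the buffer.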
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/45210/ (mitre, exploit)
- www.exploit-db.com/exploits/45233/ (mitre, exploit)
- www.exploit-db.com/exploits/45939/ (mitre, exploit)
- access.redhat.com/errata/RHSA-2019:0711 (mitre, vendor-advisory)
- access.redhat.com/errata/RHSA-2019:2143 (mitre, vendor-advisory)
- security.gentoo.org/glsa/201810-03 (mitre, vendor-advisory)
- usn.ubuntu.com/3809-1/ (mitre, vendor-advisory)
- www.debian.org/security/2018/dsa-4280 (mitre, vendor-advisory)
- www.securityfocus.com/bid/105140 (mitre, vdb-entry)
- www.securitytracker.com/id/1041487 (mitre, vdb-entry)
- lists.debian.org/debian-lts-announce/2018/08/msg00022.html (mitre, mailing-list)
- www.openwall.com/lists/oss-security/2018/08/15/5 (mitre)
- bugs.debian.org/906236 (mitre)
- cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf (mitre)
- github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 (mitre)
- psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0011 (mitre)
- security.netapp.com/advisory/ntap-20181101-0001/ (mitre)
- www.oracle.com/security-alerts/cpujan2020.html (mitre)